
Static/dynamic uids/gids allocation



As I wrote earlier, I think we agreed on something like the text
below.  If we didn't I think we should :-).

If there is consensus this should go in one of the manuals, perhaps
somewhere near policy 3.10.

Ian.

User and group space allocation and ranges

Some uids and gids are reserved globally for use by certain packages.
Because some packages need to include files which are owned by these
users or groups, or need the ids compiled into binaries, these ids
must be used on any Debian system only for the purpose for which they
are allocated.  This is a serious restriction, and we should avoid
getting in the way of local administration policies.  In particular,
many sites allocate users and/or local system groups starting at 100.

Apart from this we should have dynamically allocated ids, which should
by default be arranged in some sensible order - but the behaviour
should be configurable.

The uid and gid ranges are as follows:

0-99: Globally allocated by the Debian project, must be the same on
every Debian system.  These ids will appear in the passwd and group
files of all Debian systems, new ids in this range being added
automatically as the base-passwd package is updated.

Packages which need a single statically allocated uid or gid should
use one of these; their maintainers should ask the base-passwd
maintainer for ids.

100-1000: Dynamically allocated system users and groups.  Packages
which need a user or group, but can have this user or group allocated
dynamically and differently on each system, should use `adduser
--system' to create the group and/or user.  adduser will check for the
existence of the user or group, and if necessary choose an unused id
based on the range specified in adduser.conf.

1000-29999: Dynamically allocated user accounts.  By default adduser
will choose uids and gids for user accounts in this range, though
adduser.conf may be used to modify this behaviour.

30000-59999: Reserved.

60000-64999: Globally allocated by the Debian project, but only
created on demand.  The ids are allocated centrally and statically,
but the actual accounts are only created on users' systems on demand.

These ids are for packages which are obscure or which require many
statically-allocated ids.  These packages should check for and create
if necessary the accounts in /etc/passwd or /etc/group (using adduser
if it has this facility).  Packages which are likely to require
further allocations should have a `hole' left after them in the
allocation, to give them room to grow.

65000-65533: reserved

65534: nobody

65535: (uid_t)(-1) == (gid_t)(-1).  NOT TO BE USED, because it is the
error return sentinel value.

--
Ian Jackson, at home.   ian@chiark.greenend.org.uk          + 44 1223 3 31579
General: ijackson@chiark.greenend.org.uk  Permanent: ijackson@gnu.ai.mit.edu
Churchill College, Cambridge, CB3 0DS.   http://www.cl.cam.ac.uk/users/iwj10/
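
An added example, not part of the original message and not code from adduser or base-passwd: a small audit of passwd-format entries against the uid ranges proposed above, flagging accounts in the reserved ranges, on the 65535 sentinel, or reusing 65534 under a name other than nobody. The range labels, function names and sample entries are constructed for illustration; 1000 is reported under both ranges because the message lists it in both.

```python
# Added example: audit passwd(5)-format lines against the uid ranges in the message.
RANGES = [
    (0, 99, "global-static"),
    (100, 1000, "dynamic-system"),
    (1000, 29999, "dynamic-user"),   # 1000 is listed in both ranges in the message
    (30000, 59999, "reserved"),
    (60000, 64999, "global-on-demand"),
    (65000, 65533, "reserved"),
    (65534, 65534, "nobody"),
    (65535, 65535, "sentinel"),      # (uid_t)(-1), the error return value
]

def classify(uid):
    """Return the label of every listed range that contains uid."""
    return [label for lo, hi, label in RANGES if lo <= uid <= hi]

def audit(passwd_text):
    """Return (line_number, finding, account) for entries that conflict with the ranges."""
    findings = []
    for n, line in enumerate(passwd_text.splitlines(), 1):
        fields = line.strip().split(":")
        # passwd(5) has exactly seven colon-separated fields; the uid is the third.
        uid_field = fields[2] if len(fields) == 7 else ""
        if not (uid_field.isascii() and uid_field.isdigit()):
            findings.append((n, "malformed", fields[0]))
            continue
        name, labels = fields[0], classify(int(uid_field))
        if not labels:
            findings.append((n, "outside-16-bit-ranges", name))
        elif "sentinel" in labels:
            findings.append((n, "sentinel-uid", name))
        elif "reserved" in labels:
            findings.append((n, "reserved-range", name))
        elif "nobody" in labels and name != "nobody":
            findings.append((n, "nobody-uid-reused", name))
    return findings

# Constructed sample input, not taken from any real system.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:31000:31000::/nonexistent:/bin/false
bad:x:65535:65535::/:/bin/false
anon:x:65534:65534::/:/bin/false
broken:x:-1:0::/:/bin/false
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
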
